Difference between revisions of "SELinux Notes"

From Simson Garfinkel
Revision as of 11:52, 23 April 2019

SELinux is enabled by default on CentOS 7 and on RHEL. It's a good thing to enable for internet-facing servers, but it makes it far, far more complex to run a web server.


References:


Problem: Apache can't access the files

   sudo /sbin/restorecon -R /var/www
   setsebool -P httpd_read_user_content 1

Running a web server:

If you can't run PHP, you may have the files in the wrong SELinux security context. You can change the security

  1. Check the security context:
   ls -lZ /var/www/html/
  2. You can give the web server read/write access to the files with:
   chcon -R -t httpd_sys_rw_content_t /var/www/html/xxx

Problem: CGI scripts won't run.

In order to be able to execute a CGI script under SELinux, the script must be in the httpd_sys_rw_content_t security context. There are two ways to set the security context:

  1. The context can be manually set on a per-file basis with the _chcon_ command.
  2. The context can be derived from an SELinux policy. Policies provide regular expressions that match filenames and automatically assign contexts.

The Red Hat SELinux installation appears to install rules for the cgi-bin directory, but it does not allow you to use the .cgi extension.

You can see the SELinux policies that might possibly apply to cgi-bin with:

   $ semanage fcontext --list | grep cgi-bin

You can explicitly give a script in the cgi-bin directory the SELinux context with:

   $ chcon -t httpd_sys_script_exec_t /var/www/cgi-bin/script.cgi

You can take it away with:

   $ chcon -t unlabeled_t /var/www/cgi-bin/script.cgi

Check the file's SELinux attributes with `ls -laZ`:

   $ ls -laZ /var/www/cgi-bin/script.cgi

Looks like we can add a policy with the semanage command. I tried this to make everything in the bin directory within html executable:

   $ semanage fcontext -a -t httpd_sys_script_exec_t "/var/www/html/bin(/.*)?"
   $ restorecon -R -v /var/www/html/bin
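As an added example (not from the original notes), a POSIX shell audit that reads `ls -Z` output and flags files whose context does not match the intent described above: files under cgi-bin (or the bin directory added with semanage) that are not httpd_sys_script_exec_t, files typed httpd_sys_script_exec_t outside those directories, anything still unlabeled_t, and httpd_sys_rw_content_t outside the one directory (/var/www/html/xxx above) meant to be writable. The sample lines and the rule set are constructed assumptions, not anything the SELinux policy itself enforces.

```shell
#!/bin/sh
# Constructed sample in `ls -Z` format (mode owner group context path); not from a real host.
SAMPLE_LS_Z='-rwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/cgi-bin/ok.cgi
-rwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/cgi-bin/script.cgi
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 /var/www/html/index.php
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 /var/www/html/xxx/data.txt
-rw-r--r--. root root unconfined_u:object_r:unlabeled_t:s0 /var/www/html/bin/tool.cgi
-rwxr-xr-x. root root unconfined_u:object_r:httpd_sys_script_exec_t:s0 /var/www/html/upload.php
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/about.html'

# audit_contexts [writable_dir]: read `ls -Z` lines on stdin, print one finding per line.
# Rules are this audit's own assumptions (adjust to your layout):
#   UNLABELED    - unlabeled_t anywhere under the web root (run restorecon)
#   NOT_EXEC     - file under cgi-bin/ or bin/ that is not httpd_sys_script_exec_t
#   EXEC_OUTSIDE - httpd_sys_script_exec_t outside cgi-bin/ or bin/ (httpd could execute it)
#   RW_OUTSIDE   - httpd_sys_rw_content_t outside the single directory meant to be writable
audit_contexts() {
    writable="${1:-/var/www/html/xxx}"
    while read -r _mode _owner _group ctx path; do
        [ -n "$path" ] || continue
        rest=${ctx#*:*:}          # drop the user and role fields
        setype=${rest%%:*}        # keep the type field (user:role:TYPE:level)
        case "$path" in
            */cgi-bin/*|*/bin/*) in_exec_dir=1 ;;
            *)                   in_exec_dir=0 ;;
        esac
        if [ "$setype" = unlabeled_t ]; then
            printf 'UNLABELED %s\n' "$path"
        elif [ "$in_exec_dir" = 1 ] && [ "$setype" != httpd_sys_script_exec_t ]; then
            printf 'NOT_EXEC %s %s\n' "$path" "$setype"
        elif [ "$in_exec_dir" = 0 ] && [ "$setype" = httpd_sys_script_exec_t ]; then
            printf 'EXEC_OUTSIDE %s\n' "$path"
        elif [ "$setype" = httpd_sys_rw_content_t ]; then
            case "$path" in
                "$writable"/*) ;;
                *) printf 'RW_OUTSIDE %s\n' "$path" ;;
            esac
        fi
    done
}

# count_findings [writable_dir]: number of findings for the constructed sample
count_findings() { printf '%s\n' "$SAMPLE_LS_Z" | audit_contexts "$@" | wc -l | tr -d ' '; }

# Run the audit over the sample; on a real host pipe `ls -lZR /var/www` through a grep for regular files instead
printf '%s\n' "$SAMPLE_LS_Z" | audit_contexts
```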



References:

Disabling SELinux

Don't do this. People will get angry.

  • edit /etc/selinux/config and change SELINUX from 'enforcing' to 'permissive'

Problem: RHEL doesn't support PHP7.x

You want PHP7 to run MediaWiki.

Solution:

  1. Install httpd, httpd-devel and php
  2. Now download PHP7
   ./configure --with-apxs2=/usr/bin/apxs --enable-mbstring --with-mysqli --with-openssl
  3. And let httpd scripts make outbound TCP connections:
   # setsebool -P httpd_can_network_connect 1


For running MediaWiki, also see: